Wireshark-users: Re: [Wireshark-users] How to parse incoming DNS responses but do not query DNS s
From: Matthew <matthew1471@xxxxxxxxxxxxxxxxx>
Date: Mon, 14 Nov 2011 20:51:35 +0000
Thanks Mike, It just doesn't seem very portable taking it from one network to another. My custom wrapper works for now. I have downloaded the source code to Wireshark and will take a look see if it's a difficult thing to add. Hopefully it's just a minor change. Matthew On 13/11/2011 15:12, M Holt wrote: > Hi Matthew, > > I might be missing the obvious, but why not add a host entry on the > machine where you are reading the capture: > > C:\Users\<user>\AppData\Roaming\Wireshark\hosts > > 192.168.0.7 wireless > > Wireshark will look there first when resolving names. > > The above entry is on a Windows 7 system. > > -- Mike > > On Thu, Nov 10, 2011 at 8:29 PM, Frank Cui <frankcui24@xxxxxxxxx> wrote: >> Hi Matthew, >> >> I'm only a network admin, so I'm not familiar from the programming perspective. And if I am doing this, I would probably write a script(which is quick and dirty) using tools like scapy. >> >> Moreover If this would become a feature request, then you might need to take more possible conditions into account, and there also should be a solid reason for doing so. You could resort to the wireshark developer list for more help. >> >> Thanks, >> Frank >> >> Sent from my iPad >> >> On 2011-11-11, at 7:28 AM, Matthew <matthew1471@xxxxxxxxxxxxxxxxx> wrote: >> >>> Frank, >>> >>> Thanks for your reply. As this is not a feature built in can I raise >>> this as a feature request (at least as some command line option for >>> TShark, the -N argument[1] seems like a good place to put this, perhaps >>> using a character like "c" for cache?) >>> >>> I opted to write something that uses TShark to retrieve the DNS packets >>> (using the result code like you suggested), parse the results and then >>> re-run TShark with ip.addr == to the pre-parsed DNS response. It's a >>> horrible workaround but it works. >>> >>> Matthew >>> >>> [1] http://www.wireshark.org/docs/man-pages/tshark.html >>> >>> On 09/11/2011 13:55, Frank Cui wrote: >>>> I think this task cannot be done by just playing with the wireshark tool alone. You need to instruct the system to use the mapping relationship that already exists in the capture dump. >>>> >>>> Here is a brief description of the process that you could use to write a script. First use the tshark find the response packet AND result code=0(which means that the dns query is done successfully, note the actual field name could be something different). If there exists such packets, then subtract the name and ip in this packet. Lastly clear your dns cache, and add in the host file this mapping relationship. >>>> >>>> Hope this helps >>>> >>>> Frank >>>> Sent from my iPad >>>> >>>> On 2011-11-10, at 7:25 AM, Matthew <matthew1471@xxxxxxxxxxxxxxxxx> wrote: >>>> >>>>> Hello, >>>>> >>>>> I have already posted this to >>>>> http://ask.wireshark.org/questions/7339/parse-incoming-dns-but-do-not-query-dns-server >>>>> but know it is probably more likely to get answered on here: >>>>> >>>>> I have a packet capture from my LAN that contains a DNS query (wireless) >>>>> and response (192.168.0.7). >>>>> >>>>> When I copy it to another network and turn on name resolution it >>>>> attempts to ask the DNS server for the host name of the IP (192.168.0.7) >>>>> of the traffic... then gives up because the DNS server doesn't have it, >>>>> /but/ then notices that there is a DNS packet in the file already and >>>>> uses the results of that. The HTTP session is then showing a destination >>>>> of "wireless". >>>>> >>>>> Turning off host name resolution shows only connections to 192.168.0.7 >>>>> >>>>> How can I make Wireshark (or tshark) look at the DNS in the file and see >>>>> if it resolves the IP addresses to hostnames but *not* have it issue >>>>> queries to the DNS server of my machine which take a while to time out >>>>> and slow the loading of files down? >>>>> >>>>> Basically I want to do a filter on "ip.host == wireless" which the trace >>>>> contains the DNS request and response to (and it works if I leave name >>>>> resolution enabled even on a different network) but I want to cut out >>>>> querying my DNS servers (which turning on name resolution does). >>>>> >>>>> Thanks for your time, >>>>> Matthew >>>>> >>>>> >>>>> ___________________________________________________________________________ >>>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>>> ___________________________________________________________________________ >>>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>>> Archives: http://www.wireshark.org/lists/wireshark-users >>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >>> >>> ___________________________________________________________________________ >>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >>> Archives: http://www.wireshark.org/lists/wireshark-users >>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> ___________________________________________________________________________ >> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> >> Archives: http://www.wireshark.org/lists/wireshark-users >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users >> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe >> > ___________________________________________________________________________ > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > Archives: http://www.wireshark.org/lists/wireshark-users > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
- References:
- [Wireshark-users] How to parse incoming DNS responses but do not query DNS server
- From: Matthew
- Re: [Wireshark-users] How to parse incoming DNS responses but do not query DNS server
- From: Frank Cui
- Re: [Wireshark-users] How to parse incoming DNS responses but do not query DNS server
- From: Matthew
- Re: [Wireshark-users] How to parse incoming DNS responses but do not query DNS server
- From: Frank Cui
- Re: [Wireshark-users] How to parse incoming DNS responses but do not query DNS server
- From: M Holt
- [Wireshark-users] How to parse incoming DNS responses but do not query DNS server
- Prev by Date: Re: [Wireshark-users] ISDN Layer 3 decode
- Next by Date: [Wireshark-users] Tektronix K15 .rf5 file not opening in Wireshark 1.62...Invalid GET length
- Previous by thread: Re: [Wireshark-users] How to parse incoming DNS responses but do not query DNS server
- Next by thread: [Wireshark-users] different field use same filter
- Index(es):